
Social Engineering and How to Prevent It

In any security chain, humans are almost always the weakest link, because we’re susceptible to all kinds of manipulative tactics. Social engineering techniques take advantage of this human vulnerability to trick victims into divulging private information. Learn how to spot a social engineering attack and how strong security software like Avast One can help prevent you from falling victim to social engineering ploys.


What is social engineering?

Social engineering is the practice of using psychological techniques to manipulate behavior. Social engineering happens by exploiting human error and encouraging victims to act against their interests. In information security, the social engineering definition refers to getting people to divulge private data online like login details or financial information.


In other contexts, social engineering means something slightly different. In the social sciences, for example, social engineering is simply the effort to psychologically influence social behaviors on a larger, group scale. That can include encouraging people to behave well on public transit, stop smoking, or even support political revolution.

Here, we’ll focus on social engineering in the information security context, where hackers deploy techniques online to gain access to confidential information. In this digital realm, social engineering can be defined as a cybercrime.

How does social engineering work?

Social engineering works by taking advantage of people’s cognitive biases. A social engineering attacker poses as someone likable, trustworthy, or authoritative and tricks the victim into trusting them. Once the victim trusts the attacker, they’re manipulated into handing over private information.

Unfortunately, there are many cognitive biases that attackers can exploit to their advantage, snatching victims’ private data right out from under their noses. Social engineering techniques exploit this tendency toward trust in many different ways.

Types of social engineering attacks

One of the best ways to protect yourself from a social engineering attack is to learn about the common methods used in social engineering. These days, social engineering happens frequently online, even via social media scams, where attackers pose as a trusted contact or authority figure to manipulate people into exposing confidential information.

Here are other common types of attacks in the social engineering toolkit:

Phishing

Phishing is a type of social engineering attack in which communications are disguised to appear to come from a trusted source. These messages — often emails — are designed to trick victims into giving away personal or financial information. After all, why should we doubt the authenticity of an email that comes from a friend, family member, or business we know? Phishing scams take advantage of this trust.

Spear phishing

Spear phishing is a type of social engineering attack that targets big businesses or specific individuals. Spear phishing attacks are highly targeted toward powerful small groups or people, like corporate executives and celebrities. Social engineering attacks that use this method are often well-researched and insidiously disguised, making them difficult to detect.

Vishing

Vishing, also known as “voice phishing,” is a sophisticated form of phishing attack. In these attacks, a phone number is usually spoofed to appear legitimate — attackers might disguise themselves as IT personnel, fellow employees, or bankers. Some attackers may also use voice changers to further conceal their identity.

Smishing

Smishing is a type of phishing attack that comes in the form of text (SMS) messages. These types of attacks usually solicit immediate action from a victim, by including malicious links to click or phone numbers to call. They often ask victims to disclose personal information that the attackers can use for their benefit. Smishing attacks often convey a sense of urgency to get victims to act quickly and fall for the attack.

Whaling

Whaling is one of the most ambitious phishing attacks out there, with catastrophic consequences. This type of social engineering attack is usually aimed at one high-value target. Whaling is sometimes referred to as “CEO fraud,” which gives you an idea of a typical mark. Whaling attacks are harder to identify than other phishing attacks, because they successfully adopt an appropriate businesslike tone of voice and use insider industry knowledge to their advantage.

Baiting

Social engineering attacks don’t always originate online — they can start offline, too. Baiting refers to when an attacker leaves a malware-infected device — such as a USB drive — where someone is likely to find it. These devices are often intentionally labeled to entice curiosity. If a curious (or greedy) person picks up the device and plugs it into their own computer, they may unwittingly infect their device with malware.

Scareware

Scareware is a type of malware that uses social engineering to scare people into downloading fake security software or visiting a malware-infected site. Scareware usually appears in the form of pop-ups, claiming to help you remove a computer virus that supposedly exists on your device. Once you click the pop-up, you’re redirected to a malicious site or unknowingly install even more malware.

If you suspect you have scareware, or another type of obtrusive pop-up, regularly scan your PC with a trusted virus removal tool. Periodically scanning your device for threats is good digital hygiene. It can help prevent future social engineering attacks, and can even help keep your private data safe.

Pretexting

Pretexting involves creating a fake scenario, or “pretext,” that scammers use to trick their victims. Pretexting attacks can happen online or off, and are among the most effective tricks for a social engineer — attackers do a lot of research to pass themselves off as authentic.

It’s not easy to see through a pretexter’s ruse, so be careful when sharing confidential information with strangers. And if someone calls you with an urgent issue, contact the organization yourself to rule out a social engineering attack.

Honey trap

A honey trap is a type of social engineering scheme where an attacker lures a victim into a vulnerable sexual situation. The attacker then uses the situation as an opportunity for sextortion or another type of blackmail. Social engineers often set honey traps by sending spam emails in which they claim to have been “watching you through your webcam” or something equally sinister.

If you receive an email like this, check to make sure your webcam is secure. Then, simply keep calm and don’t respond — these emails are nothing more than spam.

Email spamming

Email spamming is one of the oldest forms of online social engineering and is responsible for essentially all the junk in your inbox. At best, email spam is annoying; at worst, it’s not just spam but a scam to get your personal information. A lot of email servers automatically screen for malicious spam, but the process isn’t perfect and sometimes dangerous emails slip through.

The methods outlined above are the most common types of social engineering attacks used to access victims’ personal information. Attackers keep finding new ways to trick humans and computers alike, especially by finding more creative ways to use long-standing social engineering methods like email spamming and pretexting.

At Avast, we stay on top of these evolving online threats by constantly updating the threat-detection engine that powers Avast One, our comprehensive security and privacy app. Plus, our built-in anti-phishing web shield technology will make sure you don’t unintentionally land on a phishing site. Download Avast One for real-time protection against social engineering attacks, as well as malware and other online threats.

How to prevent social engineering

The best way to prevent social engineering attacks is to know how to spot them. Once you’re already caught in a social engineer’s web, it can be difficult to disentangle yourself. Thankfully, you don’t need to be a tech expert to practice good social engineering prevention — just use your intuition and some old-fashioned common sense.

Change your spam email settings

One of the easiest ways to protect yourself from social engineering attacks is to adjust your email settings. You can strengthen your spam filters and prevent social engineering scam emails from slipping into your inbox. The procedure for setting spam filters varies depending on the email client you use, and you should also check out our guide to blocking spam texts.

You can also add the email addresses of people and organizations you know are legitimate directly to your digital contact lists — anyone in the future claiming to be them but using a different address is likely a social engineer.

Research the source

If you receive an email, SMS, or phone call from an unfamiliar source, enter it into a search engine and see what comes up. If it’s part of a known social engineering attack, the sender may have been flagged before. Even if the sender looks legitimate, check anyway, because the email address or phone number may turn out to be only slightly different from the real source — and it may be tied to an unsafe website.

This method doesn’t always work if the phone number has been spoofed as part of the social engineering attack. If a web search doesn’t raise any red flags, another way to prevent an attack is to directly contact the organization claiming to have contacted you.
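As an added illustration of the two checks described above (keeping known senders in a contact list, and noticing an address that is only slightly different from the real one), here is a small Python script that is not part of the original article. It parses the From value of an incoming message, compares the address against a constructed list of trusted contacts, and reports exact matches, lookalikes (a couple of character edits, common look-alike substitutions such as a digit 1 for the letter l, or a trusted domain used as the first label of a longer domain) and unknown senders. The contact list, the edit-distance threshold and the sample addresses are all assumptions made up for the example.

```python
"""Flag sender addresses that closely resemble a trusted contact.

Added example, not code from the Avast article. The contact list,
thresholds and sample addresses below are constructed for illustration.
"""
from email.utils import parseaddr

# Constructed trusted-contact list (hypothetical addresses).
TRUSTED_CONTACTS = (
    "alice@example.com",
    "billing@examplebank.com",
)

# Substitutions that make one address look like another at a glance.
# Both the sender and the contact are folded, so the comparison is symmetric.
HOMOGLYPH_FOLDS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

MAX_EDITS = 2  # edit distance at or below which a part counts as a lookalike (assumed)


def fold(text: str) -> str:
    """Lowercase and collapse common look-alike substitutions."""
    text = text.lower().strip()
    for lookalike, plain in HOMOGLYPH_FOLDS:
        text = text.replace(lookalike, plain)
    return text


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_address(raw: str):
    """Return (local, domain) from a From header value or a bare address."""
    _, addr = parseaddr(raw)
    if "@" not in addr:
        return None
    local, _, domain = addr.rpartition("@")
    return local, domain


def classify(raw_sender: str):
    """Return (verdict, closest_contact); verdict is 'trusted', 'lookalike' or 'unknown'."""
    parts = split_address(raw_sender)
    if parts is None:
        return "unknown", None
    local, domain = parts
    address = f"{local}@{domain}".lower()
    if address in TRUSTED_CONTACTS:
        return "trusted", address

    f_local, f_domain = fold(local), fold(domain)
    best = None
    for contact in TRUSTED_CONTACTS:
        c_local, c_domain = contact.split("@")
        fc_local, fc_domain = fold(c_local), fold(c_domain)
        # Trusted domain reused as the leading label of a longer domain.
        if f_domain.startswith(fc_domain + "."):
            return "lookalike", contact
        domain_edits = levenshtein(f_domain, fc_domain)
        local_edits = levenshtein(f_local, fc_local)
        if domain_edits <= MAX_EDITS and local_edits <= MAX_EDITS:
            score = domain_edits + local_edits
            if best is None or score < best[0]:
                best = (score, contact)
    if best is not None:
        return "lookalike", best[1]
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample From values, not real messages.
    for sender in (
        "alice@example.com",
        '"Alice Smith" <alice@examp1e.com>',
        "billing@examplebamk.com",
        "Bank <billing@examplebank.com.login-portal.test>",
        "bob@unrelated.test",
    ):
        print(f"{sender!r}: {classify(sender)}")
```

A "lookalike" verdict is a prompt to do what the article recommends: contact the organization through a channel you already know, rather than replying. An "unknown" verdict is not a clean bill of health; it only means the address does not resemble anyone in the list.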

If it sounds too good to be true, it probably is

Basic critical thinking skills are one of the best ways to prevent a social engineering attack from happening to you. Recent social engineering attacks carried out on Twitter involved celebrities like Elon Musk and Bill Gates appearing to tweet out offers to give away thousands of dollars in Bitcoin... if followers only gave them $1,000.

If celebrities promising to give away thousands of dollars in Bitcoin sounds too good to be true, it probably is. In this form of social engineering attack, intuition and common sense can go a long way. Be wary of offers that tout lavish rewards in exchange for a seemingly small fee. And if the solicitation seems to come from someone you know, ask yourself, “Would they really ask me for information in this way?”

Use reliable security software

You can save time and the hassle of checking sources, and still prevent social engineering attacks, by using trusted antivirus software to flag suspicious messages or websites. Security software detects and blocks malware and identifies phishing attacks before they can lure you in.

Examples of real social engineering attacks

Have you ever been socially engineered? You may not have noticed, because in real life social engineering attacks take on many different forms. In information security, social engineering attacks often appear as an email, text, or voice message from a seemingly innocuous source. You might think you can spot a suspicious email on your own, but attackers have gotten much more sophisticated with their delivery.

The following real-life examples show that even organizations and individuals with sophisticated defenses against cyberattacks and resources for social engineering prevention can still fall victim.

2020: Twitter

In 2020, Twitter became the site of social engineering attacks in which the accounts of Barack Obama, Bill Gates, Elon Musk, and others were hacked in an attempt to solicit Bitcoin from their followers. The creators of the social engineering attack earned nearly $120,000 in Bitcoin, but the bigger danger was the clear access the hackers gained to celebrity accounts — although, reportedly, no personal data was compromised.

2019: Tinder Swindler

Dating back to 2011, the infamous “Tinder Swindler” continuously tricked victims into paying for a lavish lifestyle via a string of romance scams. He used a combination of manipulation, love bombing, and lying to get away with it — eventually stealing around $10 million in his final two years of social engineering trickery. In 2019 he was convicted, and in 2022 the swindler fell for a scam himself, losing almost $7,000 of his hard-earned (scammed) cash.

2018: Vacation rentals

In 2018, vacation-rental phishing scams — in which hackers impersonate landlords offering real vacation listings — were so common that the US Federal Trade Commission issued a warning about them. In many cases, real landlords’ contact details were hacked, leaving victims to think that they were discussing a rental with the actual owner.

2017: Ethereum Classic

The 2017 hack of Ethereum Classic cryptocurrency, where hackers impersonated the owner of Classic Ether Wallet, was another high-profile, real-life social engineering scam. The hackers stole thousands of dollars in cryptocurrency from unsuspecting users. These days, social engineering scams are still prevalent in the Bitcoin community, and protecting against cryptojacking has become a high priority.

2016: Democratic Party

The email hack of the US Democratic Party in the middle of the 2016 US Presidential election is one of the most iconic social engineering attacks in recent memory. Russian hackers released a spear phishing attack against Democratic campaign leaders, which let them exfiltrate sensitive campaign information and voter data from nearly 500,000 voters.

2015: Ubiquiti Networks

In 2015, the prominent network technology manufacturer Ubiquiti lost $46 million after the email of a Ubiquiti Networks employee was hacked. The employee’s credentials were then used by fraudsters to request falsified wire transfers through the company’s finance department.

2014: Sony Pictures

Another famous social engineering attack was the 2014 cyberattack on Sony Pictures, when North Korean hackers sent phishing emails disguised as Apple ID verification emails to Sony Pictures employees. The hackers then used the login credentials to wipe Sony’s networks and steal financial records and other private data from the company.

Why is social engineering so dangerous?

Social engineering can happen to anyone — in person, over the phone, or online — and it’s also a fairly easy method to use when carrying out scams, fraud, or other crimes. Social engineers don’t need to have strong technical skills; they just need to be able to trick you into handing over sensitive data. The fact that we’re all at risk makes it a potentially devastating scam.

Social media has helped social engineers get more savvy, letting them set up fake profiles that can easily pass as real, or even impersonate real people. Always stay vigilant when looking at strange or unknown profiles on social media.

The manipulative tactics of social engineering are insidious. Often, victims of social engineering don’t even realize they’re being manipulated until it’s too late. While cognitive biases may have adaptive purposes, they can certainly be used against us. Social engineering attacks trawl for users’ private information, and that can lead to identity theft, extortion, and more.

Social engineering techniques exploit people’s sense of trust. Social engineering attacks often come from apparently trustworthy sources.

It’s not just finances that are at stake — sometimes victims’ credit scores and online reputations tumble, and debt in their name can skyrocket. While such situations are reversible, it can take a long time and endless communication with authorities to clear your name. Using cybersecurity software will help, but it doesn’t make your brain hack-proof. The best way to prevent social engineering attacks is to learn how to recognize them when you see them.

If you think you’ve fallen victim to a social engineering attack and someone has accessed your personal information, Avast BreachGuard can help. BreachGuard has features that help it scan the dark web to check if your personal information has leaked, and it will guide you in how to respond if it has.

And if your info finds its way onto data broker databases, Avast BreachGuard will help you remove it and assess your security protocols to ensure it doesn’t happen again. Don’t become a victim of social engineering attacks — get BreachGuard today and start shoring up your digital defenses immediately.

Who’s most at risk from social engineering?

Anyone can be a victim of a social engineering attack, because we all have cognitive biases we’re not always aware of. People who lack tech-savviness or are more socially isolated — such as the elderly — may be more vulnerable. But technological know-how alone, even in business, can’t protect people from psychological manipulation.

Protect yourself against social engineering attacks

When it comes to social engineering attacks, an ounce of prevention is worth a pound of cure. In many cases, there is no cure for social engineering other than changing your passwords and absorbing financial losses with as much dignity as you can muster.

As powerful as the human brain is, it can still lead us astray. That’s where Avast One comes in. Avast One uses smart analytics to detect and block the types of attacks that social engineers love to deploy before those attacks can infect you. Avast One also scans suspicious files before you inadvertently open them, and it will help you patch cracks and other exploitable vulnerabilities in your system.

Best of all? Avast One is completely free and features a built-in web shield for dedicated phishing protection, so you’ll never fall victim to social engineering in your inbox. Don’t delay — start protecting yourself today.
